General

  • Target

    944246c622b25e20ac2b929b025868ab_JaffaCakes118

  • Size

    650KB

  • Sample

    240813-w8bfwsvbjm

  • MD5

    944246c622b25e20ac2b929b025868ab

  • SHA1

    c17c3069aed87448c050d70938fef531b9e4f142

  • SHA256

    5bec625d37415824f7716f239573721837985fdeb2a2f9d4c769f878c089e622

  • SHA512

    cdbad2dacd1cb82792396bd55b84e24ebc684150e68fa9a4b81fa2b77808f38276399c8b0036174fbbee647b60c3f276579a850a7d6fe09b0ccbb3ab65303482

  • SSDEEP

    12288:dk0QNlxOnizg37k4LUSd0rv5WvYW5HMzLXj9pqQd7cqESAYi991fA/aVj:u0QpGih4bd0rv5+l5szLXj917cqPu91T

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

mrtarek.no-ip.biz:1604

Mutex

DC_MUTEX-HJA8DWM

Attributes
  • InstallPath

    MSDCSC\windows.exe

  • gencode

    uqavWxJ9fK1E

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    MicroUpdate

Targets

    • Target

      944246c622b25e20ac2b929b025868ab_JaffaCakes118

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing (refusing to run in certain locales).

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory
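The extracted config and the behavioural signatures above translate directly into host and network indicators: the C2 host and port, the mutex name, the MSDCSC\windows.exe install path, the MicroUpdate Run value, and a Winlogon value that no longer matches a clean baseline. The script below is an added example (not part of this report or of any sandbox's own code) that matches those indicators against a small set of event records. The event records and their field names (`type`, `path`, `key`, `value`, `data`, `query`, `dst_host`, `dst_port`, `name`) are constructed for the demo as a simplified Sysmon-like schema, and the Winlogon baseline values assume a default Windows install.

```python
"""IOC matching for the DarkComet sample described on this page.

Added example: indicator values are copied from the extracted config above;
the event records are constructed for the demo and use an assumed,
simplified Sysmon-like field schema rather than any real log format.
"""
import re

# Indicators from the extracted config and signatures on this page.
C2_HOST = "mrtarek.no-ip.biz"
C2_PORT = 1604                                 # DarkComet's default listener port
MUTEX = "DC_MUTEX-HJA8DWM"
INSTALL_PATH_SUFFIX = r"\msdcsc\windows.exe"   # InstallPath MSDCSC\windows.exe
RUN_VALUE_NAME = "microupdate"                 # reg_key MicroUpdate

RUN_KEY_RE = re.compile(r"\\currentversion\\run$", re.I)
WINLOGON_KEY_RE = re.compile(r"\\currentversion\\winlogon$", re.I)

# Clean-host baselines for the Winlogon values a "modifies WinLogon" signature
# is keyed on (assumption: a default Windows install; adjust for hardened images).
WINLOGON_BASELINE = {
    "userinit": r"c:\windows\system32\userinit.exe,",
    "shell": "explorer.exe",
}

# Indicators strong enough to count towards a verdict on their own.
STRONG = {"c2_dns", "c2_connect", "mutex", "install_path", "run_key",
          "winlogon_persistence"}


def check_event(ev):
    """Return the list of indicator names that one event record matches."""
    hits = []
    kind = ev.get("type")
    if kind == "dns" and ev.get("query", "").lower().rstrip(".") == C2_HOST:
        hits.append("c2_dns")
    elif kind == "net":
        if ev.get("dst_host", "").lower() == C2_HOST:
            hits.append("c2_connect")
        elif ev.get("dst_port") == C2_PORT:
            hits.append("dc_default_port")    # weak on its own: port reuse is common
    elif kind == "file" and ev.get("path", "").lower().endswith(INSTALL_PATH_SUFFIX):
        hits.append("install_path")
    elif kind == "mutex" and ev.get("name") == MUTEX:
        hits.append("mutex")
    elif kind == "registry":
        key = ev.get("key", "")
        value = ev.get("value", "").lower()
        data = ev.get("data", "").lower()
        if RUN_KEY_RE.search(key) and value == RUN_VALUE_NAME:
            hits.append("run_key")
        if (WINLOGON_KEY_RE.search(key) and value in WINLOGON_BASELINE
                and data != WINLOGON_BASELINE[value]):
            hits.append("winlogon_persistence")
    return hits


def triage(events):
    """Scan a list of events; return (verdict, sorted unique indicator names)."""
    found = set()
    for ev in events:
        found.update(check_event(ev))
    strong = found & STRONG
    if len(strong) >= 2:
        verdict = "darkcomet"
    elif strong or "dc_default_port" in found:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, sorted(found)


# Constructed sample events (not real telemetry) mirroring this report's behaviour.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\victim\Documents\MSDCSC\windows.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "MicroUpdate", "data": r"C:\Users\victim\Documents\MSDCSC\windows.exe"},
    {"type": "registry",
     "key": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "UserInit",
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\victim\Documents\MSDCSC\windows.exe"},
    {"type": "mutex", "name": "DC_MUTEX-HJA8DWM"},
    {"type": "dns", "query": "mrtarek.no-ip.biz"},
    {"type": "net", "dst_host": "mrtarek.no-ip.biz", "dst_port": 1604},
    {"type": "net", "dst_host": "update.example.test", "dst_port": 443},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The Winlogon check compares against a baseline rather than looking for a specific string, because the appended path is whatever the operator's build chose; the Run-value name and mutex, by contrast, are build constants from this config and are matched exactly. A lone connection to TCP/1604 is deliberately reported only as "suspicious".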

MITRE ATT&CK Enterprise v15